Proposal for security.txt as a mandated standard
Title
Proposal for security.txt as a mandated standard
Category
- [ ] Data
- [ ] Document
- [X] Technical
- [ ] Other Suggestions
Challenge Owner
Ollie N - NCSC Vulnerability Management Lead
Short Description
Security vulnerabilities are discovered all the time and people want to be able to report them directly to the organisation responsible. One of the most important elements of vulnerability disclosure is understanding who to contact. Security.txt is a proposed Internet standard and it describes a text file that webmasters can host in the “/.well-known” directory of the domain root. It advertises the organisation’s vulnerability disclosure process so that someone can quickly find all of the information needed to report a vulnerability. More information is available at: https://securitytxt.org and https://www.ncsc.gov.uk/information/vulnerability-disclosure-toolkit

The NCSC is also advocating security.txt as part of its Vulnerability Disclosure Toolkit and Vulnerability Disclosure Pilot for Government Departments. Vulnerability disclosure is also part of the updated minimum cyber security standards.
User Need
Ensuring any security vulnerabilities that are identified can be quickly, easily and securely reported directly to the affected system owner. This speeds up the reporting and remediation time and reduces the risk of compromise.
Expected Benefits
System owners have a dedicated vulnerability reporting process with a defined policy. This streamlines the process and ensures the vulnerability information gets directly to those who can address it. Security researchers are able to easily report vulnerabilities through a clear and secure process, which reduces the risk that the information is publicly disclosed.

Costs: A vulnerability disclosure policy has already been provided (see below) and publishing a security.txt should not cost anything additional.

Savings: Potentially saving time and money in the speed at which a vulnerability can be remediated before any compromise.
Functional Needs
- Have an agreed internal process for the escalation of reported vulnerabilities.
- Have a published vulnerability disclosure policy. NCSC has provided a hosted Government-wide disclosure policy: https://github.com/ukncsc/Vulnerability-Disclosure/blob/master/UK-Government-Vulnerability-Disclosure-Policy.md
- Publish a security.txt file to the “/.well-known” directory of the domain root (and other subdomains if required).
- The security.txt file should contain two key fields:
  - CONTACT: How finders should report vulnerabilities. For example, an email address or a link to a secure web form.
  - POLICY: A link to the organisation’s vulnerability disclosure policy.
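An added checker for the two key fields above (example code written for this page, not NCSC, Cabinet Office or HMRC tooling): it parses a security.txt, requires Contact to be a mailto/https/tel URI and Policy to be present, and, going beyond the post, also enforces the Expires field that RFC 9116 later made mandatory. The two sample files are constructed; the Policy URL is the NCSC one linked above.

```python
from datetime import datetime, timezone
# Constructed samples, not any department's real file; GOOD carries the two
# fields the proposal names plus the Expires field that RFC 9116 mandates.
GOOD = """# constructed example
Contact: mailto:security@example.gov.uk
Policy: https://github.com/ukncsc/Vulnerability-Disclosure/blob/master/UK-Government-Vulnerability-Disclosure-Policy.md
Expires: 2026-06-30T00:00:00.000Z
"""
BAD = """Contact: security@example.gov.uk
Expires: 2025-01-01T00:00:00Z
"""  # bare e-mail instead of a mailto: URI, no Policy, already expired
CONTACT_SCHEMES = ("https://", "mailto:", "tel:")
def iso(ts):
    # RFC 9116 timestamps are ISO 8601; map a trailing Z for older Pythons.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))
def parse_security_txt(text):
    # Map lower-cased field name -> list of values; skip blank and # comment lines.
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not value.strip():
            raise ValueError(f"malformed line: {line!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields
def check_security_txt(text, now_iso=None):
    # Return a list of problems; an empty list means the file passes.
    now = iso(now_iso) if now_iso else datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact field (mandatory)")
    for c in contacts:
        if not c.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a https/mailto/tel URI: {c}")
    if "policy" not in fields:
        problems.append("missing Policy field (required by this proposal)")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once (RFC 9116)")
    else:
        try:
            if iso(expires[0]) <= now:
                problems.append("file has expired; refresh it")
        except (ValueError, TypeError):
            problems.append(f"Expires is not a timezone-aware ISO 8601 timestamp: {expires[0]}")
    return problems
```

Run `check_security_txt(open(".well-known/security.txt").read())` against a published file; a non-empty list is the to-do list before the file goes live.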
Thanks Ollie. A few more links for those following.
- Cabinet Office's current security.txt can be seen at https://vdp.cabinetoffice.gov.uk/.well-known/security.txt
- Current draft of the IETF standard is at https://tools.ietf.org/html/draft-foudil-securitytxt-11
Also adopted by part of HMRC: https://www.tax.service.gov.uk/.well-known/security.txt, redirecting to https://raw.githubusercontent.com/hmrc/security-guidance/main/security.txt
See https://github.com/hmrc/security-guidance
FYI: The document was published as RFC 9116 in April 2022, with the Informational status. A diff between draft 11 (mentioned earlier) and RFC 9116 is available at https://author-tools.ietf.org/iddiff?url1=draft-foudil-securitytxt-11&url2=rfc9116&difftype=--html
As another datapoint, Cloudflare hosts a security.txt for their own collection of Internet origins, and provides open source tooling - https://github.com/cloudflare/securitytxt-worker - to help customers serve security.txt from their own zones (where a zone is a delegation of a DNS zone or subzone to Cloudflare, for the purposes of being the authoritative edge).
see: https://blog.cloudflare.com/security-dot-txt/
As per housekeeping practices we are closing this with the status as a mandated standard.